Merge pull request #1 from 18F/cookie_renew_115

jehiah · jehiah · commit afa45ff0ebc6 · 2015-06-23T07:13:18.000-04:00
Reproduce cookie refresh bugs, validate fixes
diff --git a/cookies.go b/cookies.go
@@ -27,6 +27,10 @@ func validateCookie(cookie *http.Cookie, seed string, expiration time.Duration)
 		if err != nil {
 			return
 		}
+		// The expiration timestamp set when the cookie was created
+		// isn't sent back by the browser. Hence, we check whether the
+		// creation timestamp stored in the cookie falls within the
+		// window defined by (Now()-expiration, Now()].
 		t = time.Unix(int64(ts), 0)
 		if t.After(time.Now().Add(expiration*-1)) && t.Before(time.Now().Add(time.Minute*5)) {
 			// it's a valid cookie. now get the contents
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -239,7 +239,7 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
 	if err != nil {
 		log.Printf(err.Error())
 		ok = false
-	} else if ok && p.CookieRefresh != time.Duration(0) && value != "" {
+	} else if ok && p.CookieRefresh != time.Duration(0) {
 		refresh := timestamp.Add(p.CookieRefresh)
 		if refresh.Before(time.Now()) {
 			ok = p.Validator(email) && p.provider.ValidateToken(access_token)
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
@@ -457,6 +457,37 @@ func TestProcessCookieRefreshThresholdNotCrossed(t *testing.T) {
 	assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
 }
 
+func TestProcessCookieFailIfCookieExpired(t *testing.T) {
+	pc_test := NewProcessCookieTestWithDefaults()
+	pc_test.proxy.CookieExpire = time.Duration(24) * time.Hour
+	reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
+	cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
+	pc_test.req.AddCookie(cookie)
+
+	if _, _, _, ok := pc_test.ProcessCookie(); ok {
+		t.Error("ProcessCookie() should have failed")
+	}
+	if set_cookie := pc_test.rw.HeaderMap["Set-Cookie"]; set_cookie != nil {
+		t.Error("expected Set-Cookie to be nil, instead was: ", set_cookie)
+	}
+}
+
+func TestProcessCookieFailIfRefreshSetAndCookieExpired(t *testing.T) {
+	pc_test := NewProcessCookieTestWithDefaults()
+	pc_test.proxy.CookieExpire = time.Duration(24) * time.Hour
+	reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
+	cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
+	pc_test.req.AddCookie(cookie)
+
+	pc_test.proxy.CookieRefresh = time.Hour
+	if _, _, _, ok := pc_test.ProcessCookie(); ok {
+		t.Error("ProcessCookie() should have failed")
+	}
+	if set_cookie := pc_test.rw.HeaderMap["Set-Cookie"]; set_cookie != nil {
+		t.Error("expected Set-Cookie to be nil, instead was: ", set_cookie)
+	}
+}
+
 func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
 	pc_test := NewProcessCookieTest(ProcessCookieTestOpts{
 		provider_validate_cookie_response: false,
